From 40d2d87e8ecfe61e37263482ce78eba42acbc8e0 Mon Sep 17 00:00:00 2001 From: CVE Team Date: Fri, 30 May 2025 20:00:33 +0000 Subject: [PATCH] "-Synchronized-Data." --- 2025/1xxx/CVE-2025-1479.json | 121 +++++++++++++++++++++++++++++++-- 2025/2xxx/CVE-2025-2501.json | 92 +++++++++++++++++++++++-- 2025/2xxx/CVE-2025-2502.json | 92 +++++++++++++++++++++++-- 2025/2xxx/CVE-2025-2503.json | 92 +++++++++++++++++++++++-- 2025/48xxx/CVE-2025-48870.json | 8 +-- 2025/48xxx/CVE-2025-48871.json | 8 +-- 2025/48xxx/CVE-2025-48872.json | 8 +-- 2025/48xxx/CVE-2025-48873.json | 8 +-- 2025/48xxx/CVE-2025-48874.json | 8 +-- 2025/48xxx/CVE-2025-48882.json | 63 +++++++++++++++-- 2025/48xxx/CVE-2025-48946.json | 91 +++++++++++++++++++++++-- 2025/48xxx/CVE-2025-48948.json | 68 ++++++++++++++++-- 2025/48xxx/CVE-2025-48949.json | 63 +++++++++++++++-- 2025/5xxx/CVE-2025-5360.json | 114 +++++++++++++++++++++++++++++-- 14 files changed, 780 insertions(+), 56 deletions(-) diff --git a/2025/1xxx/CVE-2025-1479.json b/2025/1xxx/CVE-2025-1479.json index e2bd7960fad..0ab2515aa66 100644 --- a/2025/1xxx/CVE-2025-1479.json +++ b/2025/1xxx/CVE-2025-1479.json @@ -1,17 +1,130 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-1479", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "psirt@lenovo.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "An open debug interface was reported in the Legion Space software included on certain Legion devices that could allow a local attacker to execute arbitrary code." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-489: Active Debug Code", + "cweId": "CWE-489" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Lenovo", + "product": { + "product_data": [ + { + "product_name": "Legion Space for Legion Go", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "0", + "version_value": "1.2.3.8" + } + ] + } + }, + { + "product_name": "Legion Space for Legion PC", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "0", + "version_value": "1.4.11.4" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://support.lenovo.com/us/en/product_security/LEN-186929", + "refsource": "MISC", + "name": "https://support.lenovo.com/us/en/product_security/LEN-186929" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.2.0" + }, + "source": { + "discovery": "UNKNOWN" + }, + "solution": [ + { + "lang": "en", + "supportingMedia": [ + { + "base64": false, + "type": "text/html", + "value": "Update Legion Space for Legion Go devices to version 1.2.3.8 (or newer).
" + } + ], + "value": "Update Legion Space for Legion Go devices to version 1.2.3.8 (or newer)." + }, + { + "lang": "en", + "supportingMedia": [ + { + "base64": false, + "type": "text/html", + "value": "Update Legion Space for Legion PC devices to version 1.4.11.4 (or newer).\n\n
" + } + ], + "value": "Update Legion Space for Legion PC devices to version 1.4.11.4 (or newer)." + } + ], + "credits": [ + { + "lang": "en", + "value": "Lenovo thanks Aobo Wang(@M4x_1997) of Chaitin Security Research Lab for reporting this issue." + } + ], + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "LOW", + "baseScore": 5.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "LOW", + "integrityImpact": "LOW", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "version": "3.1" } ] } diff --git a/2025/2xxx/CVE-2025-2501.json b/2025/2xxx/CVE-2025-2501.json index 950ffab6953..5a40e1071b5 100644 --- a/2025/2xxx/CVE-2025-2501.json +++ b/2025/2xxx/CVE-2025-2501.json @@ -1,17 +1,101 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-2501", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "psirt@lenovo.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "An untrusted search path vulnerability was reported in Lenovo PC Manager that could allow a local attacker to elevate privileges." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-426: Untrusted Search Path", + "cweId": "CWE-426" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Lenovo", + "product": { + "product_data": [ + { + "product_name": "PC Manager", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "0", + "version_value": "5.1.110.5082" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://iknow.lenovo.com.cn/detail/428586", + "refsource": "MISC", + "name": "https://iknow.lenovo.com.cn/detail/428586" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.2.0" + }, + "source": { + "discovery": "UNKNOWN" + }, + "solution": [ + { + "lang": "en", + "supportingMedia": [ + { + "base64": false, + "type": "text/html", + "value": "Update PC Manager to version 5.1.110.5082 or later.\n\n
" + } + ], + "value": "Update PC Manager to version 5.1.110.5082 or later." + } + ], + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 7.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" } ] } diff --git a/2025/2xxx/CVE-2025-2502.json b/2025/2xxx/CVE-2025-2502.json index 99c963c4b9a..e5953b32611 100644 --- a/2025/2xxx/CVE-2025-2502.json +++ b/2025/2xxx/CVE-2025-2502.json @@ -1,17 +1,101 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-2502", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "psirt@lenovo.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "An improper default permissions vulnerability was reported in Lenovo PC Manager that could allow a local attacker to elevate privileges." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-276: Incorrect Default Permissions", + "cweId": "CWE-276" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Lenovo", + "product": { + "product_data": [ + { + "product_name": "PC Manager", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "0", + "version_value": "5.1.110.5082" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://iknow.lenovo.com.cn/detail/428586", + "refsource": "MISC", + "name": "https://iknow.lenovo.com.cn/detail/428586" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.2.0" + }, + "source": { + "discovery": "UNKNOWN" + }, + "solution": [ + { + "lang": "en", + "supportingMedia": [ + { + "base64": false, + "type": "text/html", + "value": "Update PC Manager to version 5.1.110.5082 or later.\n\n
" + } + ], + "value": "Update PC Manager to version 5.1.110.5082 or later." + } + ], + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 7.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" } ] } diff --git a/2025/2xxx/CVE-2025-2503.json b/2025/2xxx/CVE-2025-2503.json index ee3990ee03f..d6746c18450 100644 --- a/2025/2xxx/CVE-2025-2503.json +++ b/2025/2xxx/CVE-2025-2503.json @@ -1,17 +1,101 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-2503", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "psirt@lenovo.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "An improper permission handling vulnerability was reported in Lenovo PC Manager that could allow a local attacker to perform arbitrary file deletions as an elevated user." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-280: Improper Handling of Insufficient Permissions or Privileges", + "cweId": "CWE-280" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Lenovo", + "product": { + "product_data": [ + { + "product_name": "PC Manager", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_name": "0", + "version_value": "5.1.110.5082" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://iknow.lenovo.com.cn/detail/428586", + "refsource": "MISC", + "name": "https://iknow.lenovo.com.cn/detail/428586" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.2.0" + }, + "source": { + "discovery": "UNKNOWN" + }, + "solution": [ + { + "lang": "en", + "supportingMedia": [ + { + "base64": false, + "type": "text/html", + "value": "https://iknow.lenovo.com.cn/detail/428586
" + } + ], + "value": "https://iknow.lenovo.com.cn/detail/428586" + } + ], + "impact": { + "cvss": [ + { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 7.1, + "baseSeverity": "HIGH", + "confidentialityImpact": "NONE", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", + "version": "3.1" } ] } diff --git a/2025/48xxx/CVE-2025-48870.json b/2025/48xxx/CVE-2025-48870.json index 7086eca3f38..73cd10196fb 100644 --- a/2025/48xxx/CVE-2025-48870.json +++ b/2025/48xxx/CVE-2025-48870.json @@ -1,17 +1,17 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-48870", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "REJECT" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2024-47057. Reason: This candidate is a duplicate of CVE-2024-47057. Notes: All CVE users should reference CVE-2024-47057 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage." } ] } diff --git a/2025/48xxx/CVE-2025-48871.json b/2025/48xxx/CVE-2025-48871.json index 301a357bb99..ac2b2787201 100644 --- a/2025/48xxx/CVE-2025-48871.json +++ b/2025/48xxx/CVE-2025-48871.json @@ -1,17 +1,17 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-48871", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "REJECT" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2024-47056. Reason: This candidate is a duplicate of CVE-2024-47056. Notes: All CVE users should reference CVE-2024-47056 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage." } ] } diff --git a/2025/48xxx/CVE-2025-48872.json b/2025/48xxx/CVE-2025-48872.json index 6b6d058f8db..1c40807707b 100644 --- a/2025/48xxx/CVE-2025-48872.json +++ b/2025/48xxx/CVE-2025-48872.json @@ -1,17 +1,17 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-48872", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "REJECT" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2024-47055. Reason: This candidate is a duplicate of CVE-2024-47055. Notes: All CVE users should reference CVE-2024-47055 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage." } ] } diff --git a/2025/48xxx/CVE-2025-48873.json b/2025/48xxx/CVE-2025-48873.json index 536171d0f1d..b927ac01ca3 100644 --- a/2025/48xxx/CVE-2025-48873.json +++ b/2025/48xxx/CVE-2025-48873.json @@ -1,17 +1,17 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-48873", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "REJECT" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2025-5256. Reason: This candidate is a duplicate of CVE-2025-5256. Notes: All CVE users should reference CVE-2025-5256 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage." } ] } diff --git a/2025/48xxx/CVE-2025-48874.json b/2025/48xxx/CVE-2025-48874.json index 744a61307b5..2865f578bbe 100644 --- a/2025/48xxx/CVE-2025-48874.json +++ b/2025/48xxx/CVE-2025-48874.json @@ -1,17 +1,17 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-48874", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "REJECT" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2025-5257. Reason: This candidate is a duplicate of CVE-2025-5257. Notes: All CVE users should reference CVE-2025-5257 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage." } ] } diff --git a/2025/48xxx/CVE-2025-48882.json b/2025/48xxx/CVE-2025-48882.json index aa6041ae4f8..eb0e4d014ec 100644 --- a/2025/48xxx/CVE-2025-48882.json +++ b/2025/48xxx/CVE-2025-48882.json @@ -1,18 +1,73 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-48882", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "PHPOffice Math is a library that provides a set of classes to manipulate different formula file formats. Prior to version 0.3.0, loading XML data using the standard `libxml` extension and the `LIBXML_DTDLOAD` flag without additional filtration, leads to XXE. Version 0.3.0 fixes the vulnerability." } ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-611: Improper Restriction of XML External Entity Reference", + "cweId": "CWE-611" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "PHPOffice", + "product": { + "product_data": [ + { + "product_name": "Math", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "< 0.3.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/PHPOffice/Math/security/advisories/GHSA-42hm-pq2f-3r7m", + "refsource": "MISC", + "name": "https://github.com/PHPOffice/Math/security/advisories/GHSA-42hm-pq2f-3r7m" + }, + { + "url": "https://github.com/PHPOffice/Math/commit/fc31c8f57a7a81f962cbf389fd89f4d9d06fc99a", + "refsource": "MISC", + "name": "https://github.com/PHPOffice/Math/commit/fc31c8f57a7a81f962cbf389fd89f4d9d06fc99a" + } + ] + }, + "source": { + "advisory": "GHSA-42hm-pq2f-3r7m", + "discovery": "UNKNOWN" } } \ No newline at end of file diff --git a/2025/48xxx/CVE-2025-48946.json b/2025/48xxx/CVE-2025-48946.json index 143ef6cb9ab..6fbfe911e2e 100644 --- a/2025/48xxx/CVE-2025-48946.json +++ b/2025/48xxx/CVE-2025-48946.json @@ -1,17 +1,100 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-48946", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms. liboqs prior to version 0.13.0 supports the HQC algorithm, an algorithm with a theoretical design flaw which leads to large numbers of malformed ciphertexts sharing the same implicit rejection value. Currently, no concrete attack on the algorithm is known. However, prospective users of HQC must take extra care when using the algorithm in protocols involving key derivation. In particular, HQC does not provide the same security guarantees as Kyber or ML-KEM. There is currently no patch for the HQC flaw available in liboqs, so HQC is disabled by default in liboqs starting from version 0.13.0. OQS will update its implementation after the HQC team releases an updated algorithm specification." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", + "cweId": "CWE-327" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "open-quantum-safe", + "product": { + "product_data": [ + { + "product_name": "liboqs", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "< 0.13.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/open-quantum-safe/liboqs/security/advisories/GHSA-3rxw-4v8q-9gq5", + "refsource": "MISC", + "name": "https://github.com/open-quantum-safe/liboqs/security/advisories/GHSA-3rxw-4v8q-9gq5" + }, + { + "url": "https://github.com/open-quantum-safe/liboqs/commit/a7d698ca9c9d98990647459253183cbe29c550af", + "refsource": "MISC", + "name": "https://github.com/open-quantum-safe/liboqs/commit/a7d698ca9c9d98990647459253183cbe29c550af" + }, + { + "url": "https://durumcrustulum.com/2024/02/24/how-to-hold-kems/#hqc", + "refsource": "MISC", + "name": "https://durumcrustulum.com/2024/02/24/how-to-hold-kems/#hqc" + }, + { + "url": "https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/Wiu4ZQo3fP80", + "refsource": "MISC", + "name": "https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/Wiu4ZQo3fP80" + } + ] + }, + "source": { + "advisory": "GHSA-3rxw-4v8q-9gq5", + "discovery": "UNKNOWN" + }, + "impact": { + "cvss": [ + { + "attackComplexity": "HIGH", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 3.7, + "baseSeverity": "LOW", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "version": "3.1" } ] } diff --git a/2025/48xxx/CVE-2025-48948.json b/2025/48xxx/CVE-2025-48948.json index 7f215ab08ef..611d32557d1 100644 --- a/2025/48xxx/CVE-2025-48948.json +++ b/2025/48xxx/CVE-2025-48948.json @@ -1,18 +1,78 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-48948", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0 allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings. In the threat model where administrators are trusted but regular users are not, this vulnerability represents a significant security risk when transcoding is enabled. Version 0.56.0 patches the issue." } ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-863: Incorrect Authorization", + "cweId": "CWE-863" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "navidrome", + "product": { + "product_data": [ + { + "product_name": "navidrome", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "< 0.56.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-f238-rggp-82m3", + "refsource": "MISC", + "name": "https://github.com/navidrome/navidrome/security/advisories/GHSA-f238-rggp-82m3" + }, + { + "url": "https://github.com/navidrome/navidrome/pull/4096", + "refsource": "MISC", + "name": "https://github.com/navidrome/navidrome/pull/4096" + }, + { + "url": "https://github.com/navidrome/navidrome/commit/e5438552c63fecb6284e1b179dddae91ede869c8", + "refsource": "MISC", + "name": "https://github.com/navidrome/navidrome/commit/e5438552c63fecb6284e1b179dddae91ede869c8" + } + ] + }, + "source": { + "advisory": "GHSA-f238-rggp-82m3", + "discovery": "UNKNOWN" } } \ No newline at end of file diff --git a/2025/48xxx/CVE-2025-48949.json b/2025/48xxx/CVE-2025-48949.json index fc32f51ca83..b7880bf109a 100644 --- a/2025/48xxx/CVE-2025-48949.json +++ b/2025/48xxx/CVE-2025-48949.json @@ -1,18 +1,73 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-48949", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "security-advisories@github.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Navidrome is an open source web-based music collection server and streamer. Versions 0.55.0 through 0.55.2 have a vulnerability due to improper input validation on the `role` parameter within the API endpoint `/api/artist`. Attackers can exploit this flaw to inject arbitrary SQL queries, potentially gaining unauthorized access to the backend database and compromising sensitive user information. Version 0.56.0 contains a patch for the issue." } ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", + "cweId": "CWE-89" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "navidrome", + "product": { + "product_data": [ + { + "product_name": "navidrome", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": ">= 0.55.0, < 0.56.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-5wgp-vjxm-3x2r", + "refsource": "MISC", + "name": "https://github.com/navidrome/navidrome/security/advisories/GHSA-5wgp-vjxm-3x2r" + }, + { + "url": "https://github.com/navidrome/navidrome/commit/b19d5f0d3e079639904cac95735228f445c798b6", + "refsource": "MISC", + "name": "https://github.com/navidrome/navidrome/commit/b19d5f0d3e079639904cac95735228f445c798b6" + } + ] + }, + "source": { + "advisory": "GHSA-5wgp-vjxm-3x2r", + "discovery": "UNKNOWN" } } \ No newline at end of file diff --git a/2025/5xxx/CVE-2025-5360.json b/2025/5xxx/CVE-2025-5360.json index e651d966f78..c0e7419907a 100644 --- a/2025/5xxx/CVE-2025-5360.json +++ b/2025/5xxx/CVE-2025-5360.json @@ -1,17 +1,123 @@ { + "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2025-5360", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "ASSIGNER": "cna@vuldb.com", + "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "A vulnerability classified as critical was found in Campcodes Online Hospital Management System 1.0. This vulnerability affects unknown code of the file /book-appointment.php. The manipulation of the argument doctor leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used." + }, + { + "lang": "deu", + "value": "In Campcodes Online Hospital Management System 1.0 wurde eine Schwachstelle entdeckt. Sie wurde als kritisch eingestuft. Hierbei betrifft es unbekannten Programmcode der Datei /book-appointment.php. Durch die Manipulation des Arguments doctor mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung." + } + ] + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "SQL Injection", + "cweId": "CWE-89" + } + ] + }, + { + "description": [ + { + "lang": "eng", + "value": "Injection", + "cweId": "CWE-74" + } + ] + } + ] + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "vendor_name": "Campcodes", + "product": { + "product_data": [ + { + "product_name": "Online Hospital Management System", + "version": { + "version_data": [ + { + "version_affected": "=", + "version_value": "1.0" + } + ] + } + } + ] + } + } + ] + } + }, + "references": { + "reference_data": [ + { + "url": "https://vuldb.com/?id.310654", + "refsource": "MISC", + "name": "https://vuldb.com/?id.310654" + }, + { + "url": "https://vuldb.com/?ctiid.310654", + "refsource": "MISC", + "name": "https://vuldb.com/?ctiid.310654" + }, + { + "url": "https://vuldb.com/?submit.586591", + "refsource": "MISC", + "name": "https://vuldb.com/?submit.586591" + }, + { + "url": "https://github.com/ASantsSec/CVE/issues/8", + "refsource": "MISC", + "name": "https://github.com/ASantsSec/CVE/issues/8" + }, + { + "url": "https://www.campcodes.com/", + "refsource": "MISC", + "name": "https://www.campcodes.com/" + } + ] + }, + "credits": [ + { + "lang": "en", + "value": "asants (VulDB User)" + } + ], + "impact": { + "cvss": [ + { + "version": "3.1", + "baseScore": 7.3, + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "baseSeverity": "HIGH" + }, + { + "version": "3.0", + "baseScore": 7.3, + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "baseSeverity": "HIGH" + }, + { + "version": "2.0", + "baseScore": 7.5, + "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P" } ] }